Security is not free

The Vehicle and Operator Services Agency (Vosa) has become less effective in enforcing road traffic legislation, as a result of a government wide rule banning devices holding unencrypted personal data from leaving the office.

…

Transport minister Jim Fitzpatrick said in a written parliamentary answer to Labour MP Kelvin Hopkins on 2 April that the implementation of the data security rule produced “a temporary reduction in Vosa’s normal enforcement performance of about 20%” .

Without knowing anything about what sort of data Vosa held on their unencrypted laptops, that was not self-evidently a good trade off. Designing in security so that the trade off is close to invisible is clearly the ideal, but in practice choices do often have to be made in and about circumstances which fall far short of that ideal. Slightly counter-intuitively, given the events of the last few months, my experience is that it is much easier to get systems locked down than it is to get them opened up (whether the intended locking down is then competently achieved is a separate question). There are two fairly clear reasons for that. The first is risk aversion. The second is more subtle, but is what allows the risk aversion to take hold: adding security is usually somebody’s job; challenging the need to so, or to do so in a particular way, usually isn’t anybody’s job. The result can be that the trade off being made is simply not seen or, if seen, it is taken as axiomatic not just that security trumps everything else but that particular approaches to security are essential. Challenging that view using apparently nebulous arguments about usability, behaviour and effectiveness is not easy